[CFRG] Re: Do we have unsafe uses of Ed448 and Ed25519? Fix, Ed448?
Daniel Huigens <daniel.huigens@proton.ch> Wed, 11 September 2024 21:26 UTC
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fCS5qsR_TDDBjBj9jtAWJZElGKI>
Hi Mike,

On Wednesday, September 11th, 2024 at 22:35, Mike Hamburg wrote:

> Phillip points out that this vulnerability applies to EdDSA with prehash mode, because it doesn't have a firewall at all, except between “yes prehash” and “no prehash”. EdDSA uses a fixed hash function internally: SHA-512 for Ed25519, or SHAKE256 for Ed448. But the prehash mode signs the hash of a message, without indicating what hash function was used.

Ed25519ph and Ed448ph do indicate which pre-hash functions are used, by simply hardcoding them - to the same functions that are used inside PureEdDSA: SHA-512 for Ed25519 and SHAKE256 for Ed448. And as specified, the message is pre-hashed inside the function, so there should be no risk of using the wrong one - although some implementations do allow passing a hash that was computed externally by the application, but obviously to remain compliant it needs to use the specified hash function (and this is usually properly documented as far as I've seen).

> So if an attacker can convince a victim to use a weak hash for verification ..

then they wouldn't be using Ed25519ph or Ed448ph, but some broken variant of it. I don't think there's much we can do to protect against that.

Phillip's message, as I understood it, was more about the case where the signer decides to use e.g. Ed448(SHA512(M)) rather than Ed448ph(M) because they don't like SHAKE, or so. That's when the hash function firewall is missing, and the context parameter could be used to add it back.

Best,
Daniel
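The point Daniel makes above (a signer using PureEdDSA over an externally chosen hash has no hash-function firewall, while the ph variant's hardcoded prehash and the ctx variant's context both bind the choice into what is signed) can be made concrete. The following is an added example, not code from this thread or from any of its participants: a pure-Python Ed25519 modelled on the RFC 8032 reference code, with Ed25519 standing in for Ed448 only because its arithmetic is shorter. The `dom2` prefix, the `sign_*`/`verify_*` wrappers, the context string "SHA-512" and the demo key `bytes(range(32))` are my own choices for illustration, not anything the thread specifies.

```python
# Added example, not code from the thread: pure-Python RFC 8032 Ed25519
# (modelled on the RFC's reference code), used to show why Ed25519(SHA-512(M))
# carries no hash-function firewall while Ed25519ph / Ed25519ctx do.
# Demo only: big-int arithmetic is not constant-time; never use with real keys.
import hashlib

p = 2**255 - 19
q = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, p - 2, p)) % p
SQRT_M1 = pow(2, (p - 1) // 4, p)

def sha512(m): return hashlib.sha512(m).digest()
def sha512_modq(m): return int.from_bytes(sha512(m), "little") % q
def inv(x): return pow(x, p - 2, p)

# Points are extended twisted-Edwards coordinates (X, Y, Z, T).
def add(P, Q):
    (x1, y1, z1, t1), (x2, y2, z2, t2) = P, Q
    A = (y1 - x1) * (y2 - x2) % p; B = (y1 + x1) * (y2 + x2) % p
    C = 2 * t1 * t2 * d % p;       D = 2 * z1 * z2 % p
    E, F, G_, H = B - A, D - C, D + C, B + A
    return (E * F % p, G_ * H % p, F * G_ % p, E * H % p)

def mul(s, P):
    Q = (0, 1, 1, 0)
    while s:
        if s & 1: Q = add(Q, P)
        P = add(P, P); s >>= 1
    return Q

def equal(P, Q):
    return (P[0] * Q[2] - Q[0] * P[2]) % p == 0 and (P[1] * Q[2] - Q[1] * P[2]) % p == 0

def recover_x(y, sign):
    if y >= p: return None
    x2 = (y * y - 1) * inv(d * y * y + 1) % p
    if x2 == 0: return None if sign else 0
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p: x = x * SQRT_M1 % p
    if (x * x - x2) % p: return None
    return p - x if (x & 1) != sign else x

def compress(P):
    zi = inv(P[2]); x, y = P[0] * zi % p, P[1] * zi % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decompress(s):
    y = int.from_bytes(s, "little"); sign = y >> 255; y &= (1 << 255) - 1
    x = recover_x(y, sign)
    return None if x is None else (x, y, 1, x * y % p)

g_y = 4 * inv(5) % p; g_x = recover_x(g_y, 0)
G = (g_x, g_y, 1, g_x * g_y % p)

def expand(sk):
    h = sha512(sk); a = int.from_bytes(h[:32], "little")
    return (a & ((1 << 254) - 8)) | (1 << 254), h[32:]

def public_key(sk): return compress(mul(expand(sk)[0], G))

def dom2(phflag, ctx):
    """RFC 8032 dom2: hash prefix for Ed25519ph/Ed25519ctx (pure Ed25519 uses none)."""
    return b"SigEd25519 no Ed25519 collisions" + bytes([phflag, len(ctx)]) + ctx

def sign(sk, m, dom=b""):
    a, prefix = expand(sk); A = compress(mul(a, G))
    r = sha512_modq(dom + prefix + m); Rs = compress(mul(r, G))
    s = (r + sha512_modq(dom + Rs + A + m) * a) % q
    return Rs + s.to_bytes(32, "little")

def verify(pk, m, sig, dom=b""):
    if len(pk) != 32 or len(sig) != 64: return False
    A, R = decompress(pk), decompress(sig[:32])
    s = int.from_bytes(sig[32:], "little")
    if A is None or R is None or s >= q: return False
    return equal(mul(s, G), add(R, mul(sha512_modq(dom + sig[:32] + pk + m), A)))

# The variants discussed in the thread (Ed25519 stands in for Ed448 here):
def sign_pure(sk, m): return sign(sk, m)                                # Ed25519(M)
def sign_ph(sk, m): return sign(sk, sha512(m), dom2(1, b""))            # Ed25519ph(M)
def sign_ctx(sk, m, ctx): return sign(sk, m, dom2(0, ctx))              # Ed25519ctx(M, ctx)
def verify_pure(pk, m, sig): return verify(pk, m, sig)
def verify_ph(pk, m, sig): return verify(pk, sha512(m), sig, dom2(1, b""))
def verify_ctx(pk, m, sig, ctx): return verify(pk, m, sig, dom2(0, ctx))

def firewall_demo():
    sk = bytes(range(32))                     # constructed demo key, not a real secret
    pk, m = public_key(sk), b"hash-function firewall test"
    sig_hash = sign_pure(sk, sha512(m))       # "Ed25519(SHA512(M))": hash choice is unsigned
    sig_ph = sign_ph(sk, m)                   # Ed25519ph: dom2 + phflag bind SHA-512
    sig_ctx = sign_ctx(sk, sha512(m), b"SHA-512")  # signer names the hash in the context
    return {
        # Verifier only sees a pure signature over 64 bytes; nothing says they are SHA-512(M).
        "pure_over_digest_is_just_pure": verify_pure(pk, sha512(m), sig_hash),
        # Ed25519ph is domain-separated: not interchangeable with a pure signature on the digest.
        "ph_verifies": verify_ph(pk, m, sig_ph),
        "ph_rejected_as_pure": not verify_pure(pk, sha512(m), sig_ph),
        # A context naming the hash restores the firewall: wrong assumed hash -> wrong dom2.
        "ctx_verifies": verify_ctx(pk, sha512(m), sig_ctx, b"SHA-512"),
        "ctx_wrong_hash_rejected": not verify_ctx(pk, sha512(m), sig_ctx, b"SHA3-512"),
    }
```

Every entry of `firewall_demo()` comes back `True`. The first one is the problem case: a signature produced as Ed25519(SHA512(M)) is simply a pure signature over 64 digest bytes, so a verifier that accepts "the signed bytes are some hash of M" learns nothing about which hash, which is exactly the missing firewall. The ph signature fails as a pure signature because the `dom2` prefix and the phflag are folded into both hashes, and the ctx signature fails as soon as the verifier assumes a different hash name in the context, which is the "add it back with the context parameter" option. The implementation is checked against RFC 8032's first test vector in the test below.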
- [CFRG] Do we have unsafe uses of Ed448 and Ed2551… Dan Brown
- [CFRG] Re: Do we have unsafe uses of Ed448 and Ed… Mike Hamburg
- [CFRG] Re: Do we have unsafe uses of Ed448 and Ed… Daniel Huigens
- [CFRG] Re: Do we have unsafe uses of Ed448 and Ed… Mike Hamburg